Design For Validation 

Based on Formal Methods 
VALIDATION OF ULTRA-RELIABLE SYSTEMS 



Achieving Ultra-Reliable Software 




Life- Testing 
1. Separate Design/Implementation Teams 






The Big Problem For Design Diversity Advocates 
Quantification of N-version programs is not feasible in the ultra-reliable regime 
How do we get ultra-reliable numbers for hardware (physical 
THE INDEPENDENCE ASSUMPTION CANNOT BE DEMONSTRATED 
FOR MULTI-VERSION S/W IN THE ULTRA-RELIABLE REGION 



The Danger of Design Diversity (N-version Programming, Recovery Blocks, etc.) 
Design For Validation 
This is accomplished analytically. 
Suppose there is a single-point failure in our system; we include it in our reliability model 
and rerun the model to get a closer value: 
Designing a System with Much Higher Reliability 



The value of C must now be greater than 0.9999982. 

It can be shown that over a million fault injections would be required to measure this parameter, even if we are very optimistic about the testing process. 

If each injection required 1 minute, this would require almost 1.9 years of non-stop fault injections. 
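The arithmetic behind the slide, as an added example (not part of the original deck): a one-term model in which an uncovered fault is the single-point failure, so the system-failure probability is bounded by the expected number of faults during the mission times (1 - C); a zero-failure binomial bound on how many fault injections are needed to claim a given coverage at a chosen confidence; and the conversion of injection count to calendar time. The one-term model, the 90% confidence level and the sample parameters (4 units, failure rate 1e-4 per hour, 10-hour mission, target 1e-9) are assumptions chosen here for illustration, not the deck's own reliability model.

```python
import math


def coverage_required(target_pfail, n_units, fault_rate, mission_hours):
    """Minimum coverage C such that the uncovered-fault term
    n_units * fault_rate * mission_hours * (1 - C) stays below target_pfail.
    Assumed one-term model: an uncovered fault is the single-point failure."""
    expected_faults = n_units * fault_rate * mission_hours
    return 1.0 - target_pfail / expected_faults


def zero_failure_trials(coverage, confidence):
    """Fault injections, all of which must be covered, needed to claim
    C >= coverage at the given confidence: (coverage ** n) <= 1 - confidence.
    This is the standard binomial zero-failure bound (assumption: injections
    are independent and representative of real faults)."""
    return math.ceil(math.log(1.0 - confidence) / math.log(coverage))


def years_of_injections(trials, minutes_each=1.0):
    """Calendar time for back-to-back injections of the given duration."""
    return trials * minutes_each / (60 * 24 * 365.25)


def main():
    # Assumed parameters: quad redundancy, 1e-4 faults/hour, 10-hour mission,
    # and a 1e-9 per-mission failure target.
    c_min = coverage_required(1e-9, 4, 1e-4, 10)
    print(f"required coverage C > {c_min:.8f}")

    # The deck's value, C > 0.9999982, at an assumed 90% confidence level.
    n = zero_failure_trials(0.9999982, 0.90)
    print(f"fault injections needed (90% confidence): {n:,}")

    # The deck's figure: a million one-minute injections.
    print(f"1,000,000 one-minute injections: {years_of_injections(1_000_000):.2f} years")


if __name__ == "__main__":
    main()
```

Lowering the confidence level reduces the trial count, but any credible level still puts the campaign at a scale where fault injection cannot be the sole evidence for the coverage figure; that is the point the deck makes before turning to analytic design-for-validation.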



A better Way — via Design For Validation 
WHY FORMAL METHODS? 
Draft Interim Defence Standard 00-55 
Levels of Formal Methods 